Connectivity to an IPv6-only site

- in WHOIS, I have ns1 and ns2.onlyv6.com listed as the authoritative
name servers

- both of these servers *only* have IPv6 addresses

Which seems a bit far afield from reality to me. Yes, there are lots
of folks with IPv6 connectivity and v4-only recursive DNS servers. I
don't think ISPs will have problems setting aside a handful of IPv4
addresses for authoritative DNS infrastructure to work around this
until v6 transport in recursive DNS servers is common enough.

Not really, having your nameservers be IPv6 enabled is a reasonable thing to do.

But (particularly in an enterprise environment) less important than getting the end-user machines IPv6 enabled.
At least I haven't been convinced otherwise yet... yes, it's reasonable, but at least in my situation it'll probably be after all user facing segments are done.
Also, so far, all IPv6 content whitelisting has been done on the IPv4 address of nameservers... so really, no rush.

You'll see a lot of this. I've done my own little tests on a few
friends' systems, and on public wifi, etc, establishing some sort of
IPv6 connectivity, and trying to resolve a subdomain of mine with an
IPv6-only DNS server. Many ISP recursive NS don't have IPv6 transport
yet, so they choke getting to my NS.

Shameless plug:

There's some decent IPv6 training at http://tunnelbroker.net

You can also add IPv6 capabilities to your network using a tunnel from
there. (Unless you're trapped in NAT hell).

If you have the NAT problem, you can try http://www.sixxs.net and
see if one of their solutions will get through your NAT.

Owen

(Full Disclosure, I work for the company (Hurricane Electric) that provides
http://tunnelbroker.net )

Mohacsi Janos wrote:

Go get an airport express, install it, get your Internet, then click the ipv6 enable box and that's it. Seriously!

Hmm. Then why did I just replace my airport and my ISP to get functioning IPv6? Hint: 6to4 != IPv6.

Even bridged mode broadband service != broadband service (i.e., airport express 6to4 not working on PPPoE).

Bleh, actually it does, and I've never been happier to have not deployed PPPoE or cpe modems in router mode than dealing with IPv6. Yeah, some of the networks I manage but don't make decisions on have breaks for IPv6 (router based modems installed, dslams that are smart and filter bad customer traffic including IPv6, etc). My main vlan per customer layout (or atm per customer depending on equipment management domain) fully bridged to customer works great with IPv6, including my house where I have a linux box which does DHCPv6-PD and despite poor options at least passes out networks.

Still having large issues on transit peers, but they'll fix it eventually, or I'll eventually get circuits to someone who does. Meanwhile, the tunnel works for the limited traffic generated by DNS, a few 6to4 people (generally p2p) and my home and office.

Jack

It is likely a bit far from immediate future reality, but I think it is a
worthwhile exercise.

Bottom line, if your ISP's resolvers cannot issue queries over IPv6,
that is a problem that is relatively easy for them to solve. It is worth
putting pressure on your ISP to solve that problem.

Owen

There are already sites conducting that experiment. This site is conducting a different experiment.

Owen

Ours are currently intentionally configured to not issue queries over IPv6,
because at one time, there were *so many* sites that listed unreachable quad-A
NS records. Our DNS guy is more than willing to revisit that config switch.

Anybody have some statistics on what the current situation is?

From my PC at home (Cox in Omaha) I can't even get a nameserver that
knows the site.

I should point out that I am really stupid about v6--I don't know if I
should be able to find a nameserver or not.

Has nothing to do about being stupid... let's rephrase your statement
and put a positive spin on it as such:

"I've heard about IPv6, but don't know very much about it. I think that
I should know more, but am a bit confused as to where to begin. What do
I do first?".

You are too kind. Since I no longer administer a network, I've gotten
lazy about keeping up with developments.

And that is stupid.

Then I'd say:

"As a start, go to ARIN IPv6 Wiki - ARIN's Vault. If that
doesn't get you going, then let the rest of the community start posting
the resources that they know about, ranging from beginner up to the
advanced.".

Good and useful advice.

But the message I meant to convey at 0300 in a rainy morning when I
couldn't sleep was "I don't know if a Windows XP (SP3, current patches)

OK--I'll put that on the shopping list. (I'll also look around for
something for the wired machinery as well.)

From my PC at home (Cox in Omaha) I can't even get a nameserver that
knows the site.

Larry... let me explain why. Although you might not understand, others
will, and you may remember this as something when you do use IPv6.

Believe me, nobody can remember everything, and what I'm trying to
achieve here is isolating easy-to-document issues.

It may be above your head at this time, but my objective is to find out
the rough edges, that net ops will be able to identify quickly when
problems arise... much like looking for reckless filtering of ICMP on an
IPv6 network.

It actually all makes sense (not to be confused with "I have a deep and
abiding understanding now").

Why you can't get a name server... because this is how the domain is
configured:

I started to whine about the "misleading" error message I got, but when I
did it again to copy it I see that it was a mix of not-understanding and
of thinking I did:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Owner>tracert onlyv6.com
Unable to resolve target system name onlyv6.com.

C:\Documents and Settings\Owner>

That doesn't say "Unable to locate a nameserver" which I would have bet
it said.

I'll go away quietly now.

Thanks for the explanation.

Wuulllll, wait a minute. I didn't get the notion that he was testing to
see if a real-world configuration would work. Most engineering and
science projects don't test the real world (less so now than in times
past, and I don't mean global warming).

It looks like he has designed an experiment to test a narrow range of
conditions that look to be useful for piecing together what the larger
(and largely un-testable) picture might look like.

In that case, get an Airport Extreme or Time Capsule.

Owen

...

Has nothing to do about being stupid... let's rephrase your statement
and put a positive spin on it as such:

"I've heard about IPv6, but don't know very much about it. I think that
I should know more, but am a bit confused as to where to begin. What do
I do first?".

Then I'd say:

"As a start, go to ARIN IPv6 Wiki - ARIN's Vault. If that
doesn't get you going, then let the rest of the community start posting
the resources that they know about, ranging from beginner up to the
advanced.".

I'd like to add that I learned a LOT going through HE's "certification"
process,
using it (as apparently intended) as a tutorial.

-- Pete

Given I've been running dual stack nameservers for the last 7 years
and never noticed any real problems I expect his problems are actually
closer to home.

Mark

Dave,

I think part of the point of this is to discover gotchas with our current infrastructure. For example, while diagnosing why I couldn't get onlyv6.com to resolve on one of my name servers but the others worked fine, I discovered that PowerDNS Recursor won't use an IPv6 address for outgoing queries unless you actually give it:

query-local-address6=

One of my name servers had it, the other didn't, hence I was getting failures on one and success on the other. It's little config issues like that that can crop up weeks/months/years later and make life difficult.

Now that I'm a Xen shop, I design domUs to last years at a time rather than rebuilding them constantly. Being able to shunt stable and reliable domU hosts to new dom0 machines when they come up is a great thing, and makes my life a lot easier. :)

I mirror this experience, I've not seen any issues having the nameservers dual-stacked.

- Jared

Don't quite remember when I started going dual stack on the server side of things, I think it was back in 2006 or 2007. I even have AHBL queries coming in over IPv6 now - of course they are for IPv4 hosts, but that's not the point. :)

What's even more interesting is that on my primary name server, people are sending ICMP echos to my IPv6 address on a fairly consistent basis, making me wonder if someone's using it for testing purposes. If so, makes me happy :)

No, the problems are probably further back in time. We first started turning up
IPv6 back in 1997 or so. There's a *very* good chance that we turned it off a
decade ago (or whenever people *first* started listing quad-A's in NS entries)
due to breakage and never actually revisited it since then. This would have
been in the era of early 6bone and "your IPv6 connection is probably tromboned
through Tokyo".

Back in that era there was a very real problem of islands. That
is, a group would set up IPv6 internally but never connect to the
"Internet" (however you want to define that). So they got a AAAA
and blackholed trying to reach it.

When you look at the content providers (Yahoo and Google tend to
speak about this) they are very concerned about this problem as end
users can make themselves islands fairly easily (an island of your
house, for instance).

While the numbers are troubling for them, they are actually really
good news. Depending on whose number you believe and when, somewhere
between 0.01% and 0.5% of end users are on unconnected islands.
Now, when you serve a billion page views a day, dropping 0.5% is a
huge concern; but it actually means the island problem has gotten
really small.

More importantly, those are end users who are islands. Someone
whose airport is misconfigured making them appear to have IPv6 when
they do not. Most of these folks don't run recursive name servers.
While I don't know of any hard data, I would expect the number of
nameservers in islands to be at least one, and perhaps two or three
orders of magnitude less.

So, in the context of publishing AAAA's for your nameservers, I think
things are extremely safe at this point. If the recursive box on the
other end has IPv6 at all and tries to use the AAAA there is a very good
chance it will have working IPv6.

In the context of publishing AAAA's for your services (e.g. WWW),
you need to look at the Google and Yahoo stats network wide, look
at your own user base, and determine what level of breakage is
acceptable. Keep in mind that IPv4 doesn't always work, so 0% is
an unachievable goal. :)

Well, Google will not serve you an AAAA record if you are not registered with them. This is to avoid all the issues above. Once you are registered, expect a lot of IPv6 traffic!
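The gotcha raised in this thread (a recursor with no IPv6 source address for outgoing queries cannot resolve a zone whose name servers only have IPv6 addresses), as an added example that is not part of any post above and is not PowerDNS code. It assumes a `key=value` recursor configuration in which IPv6 outgoing queries are enabled only when `query-local-address6` holds a valid IPv6 address; all addresses, the `example.net` zone and the function names are constructed for illustration.

```python
import ipaddress

def parse_conf(text):
    """Parse key=value lines of a recursor.conf-style file, ignoring # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def outgoing_families(settings):
    """Address families the recursor can send queries from.
    Assumption: IPv4 is always usable; IPv6 only if query-local-address6
    contains at least one valid IPv6 address (empty or missing = disabled)."""
    families = {4}
    for addr in settings.get("query-local-address6", "").replace(",", " ").split():
        try:
            if ipaddress.ip_address(addr).version == 6:
                families.add(6)
        except ValueError:
            pass  # malformed entry: treat it as not configured
    return families

def reachable_nameservers(delegation, families):
    """Name servers with at least one address in a family we can query from."""
    return sorted(
        ns for ns, addrs in delegation.items()
        if any(ipaddress.ip_address(a).version in families for a in addrs)
    )

def audit(conf_text, delegation):
    """Combine both checks: can this recursor resolve this delegation at all?"""
    families = outgoing_families(parse_conf(conf_text))
    reachable = reachable_nameservers(delegation, families)
    return {"families": sorted(families), "reachable": reachable,
            "resolvable": bool(reachable)}

# Constructed sample data (documentation address ranges, not real glue records).
V6ONLY_ZONE = {"ns1.onlyv6.com": ["2001:db8::53"],
               "ns2.onlyv6.com": ["2001:db8:1::53"]}
DUAL_ZONE = {"ns1.example.net": ["192.0.2.53", "2001:db8:2::53"],
             "ns2.example.net": ["198.51.100.53"]}
CONF_A = "local-address=192.0.2.10\nquery-local-address6=2001:db8:ffff::10\n"
CONF_B = "local-address=192.0.2.11\n# query-local-address6 not set\n"

if __name__ == "__main__":
    for name, conf in (("A", CONF_A), ("B", CONF_B)):
        print(name, audit(conf, V6ONLY_ZONE), audit(conf, DUAL_ZONE))
```

Running the same audit across every recursor in a pool surfaces the "works on one server, fails on the other" split before users do.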